Advocate Medical Group, already under federal and state investigation after the theft of computers containing personal information on millions of people, is now facing a class-action lawsuit from patients who say the Downers Grove-based physician group didn’t do enough to protect their private data.

The suit, filed in Cook County Circuit Court, says the health care nonprofit violated privacy regulations by failing to use encryption and other security measures on the four computers that were stolen from its Park Ridge offices in July. The computers contained information on more than 4 million patients.

Names, addresses, dates of birth and Social Security numbers are at risk on the computers, which were password-protected but not encrypted, Advocate said. While full medical records were not on the computers, medical data for some patients also is at risk, including diagnoses, medical record numbers, medical service codes and health insurance information.

The breach, revealed last month, affects patients seen by Advocate Medical Group physicians from the early 1990s through July. It’s the second-largest loss of unsecured protected health information reported to the Department of Health and Human Services since it implemented a mandatory notification rule in 2009.

In a statement, Advocate took issue with the lawsuit but said “we deeply regret any inconvenience” the breach caused.

“We want to reassure our patients that we do not believe the data was targeted and we have no information that leads us to believe that the information has been misused,” the statement read. “Thus, we feel confident the facts will demonstrate that the lawsuit is without merit.”

Tribune reporter Peter Frost contributed.

mitsmith@tribune.com